CISO in the Wild: Stepping out of the C-Suite to Take on Server Compliance

August 24, 2015
| |
4 min read

The Many Goals and Roles of a CISO

The CISOs of the world, particularly those in large organizations, often sit high above the daily operational fray of systems management. They stay out of the wild, so to speak, of technical administration and compliance activities. Their days are frequently consumed with reacting to various issues and the management of policies, projects and personnel. They are also heavily engaged in instilling a culture in the organization that respects privacy and security, motivating sound decisions and appropriate actions.

These activities are, of course, vitally important in supporting the overall CISO mission of protecting the information, technology and services of the organization. It is quite natural for CISOs and their teams to be very adamant about the need to follow the various policies, guidelines and best practices, and the need to maintain high levels of operational compliance.

There is also a general reluctance to accept any pushback regarding established rules and their related compliance requirements. I imagine there are many times when one has been involved in a discussion, on one side of the table or the other, regarding why a certain requirement was not completed or why someone feels it is not feasible to adhere to a particular aspect of the policy. The short answer from the information security team is often: “It is a requirement; just make sure it is done.”

Walk a Mile in IT’s Shoes

While it is certainly true that the CISO role is challenging and demanding — for example, ensuring crucial security management capabilities are in place — so, too, are the roles that bear the direct responsibility for maintaining operational privacy, security and compliance of the environment. How often do we see a CISO in the wild, actually going through the processes that they demand of typical system administrators?

There is no better way to fully understand what your community goes through than to experience it for yourself. Recently, I was presented with an opportunity to do just that.

As I was consulting on system and security requirements for a new proof-of-concept (PoC) service from one of our research groups, I decided to further assist the team by taking on the initial setup of the new server from scratch. I would be going through the litany of server-related activities firsthand, from installation and registration to configuration and validation. I would personally utilize the various tools available and hopefully end up with a system compliant with our internal standards.

Behind the Server Deployment

I think a bit of additional background information is warranted here. The organization that we support is primarily focused on research and development (R&D). While there are some production-level hosting environments, the vast majority of systems are nonproduction. Our R&D workload can have significant variability when it comes to the needs of individual projects. Couple that diversity with a high rate and pace of change, and you have an environment that is frequently not conducive to standardized system images and common tooling.

I started off with a base Windows server image in our cloud hosting environment and then established some basic filtering in the Windows and network firewalls. A couple of the initial required registration tasks for the new system were relatively painless, although it would have been preferable to have them consolidated into a common tool. With the system now registered in the IT server database and the DNS service, it was time to move on to the installation of the required agent for endpoint management.

Making Installation a Reality

Installing the endpoint protection agent was a bit more involved, given the network compartment where the server was deployed. However, with some simple network filtering changes and mild modifications to the installation process, the agent was installed and operational. The solution was then used to easily push out the installation of the required antivirus application and deploy various patches for installed components.

Now the fun really kicked in, as I took the security policy document and began to work through the specific configuration requirements for a generic Windows server. The relatively specific configuration requirements, with over 100 items to confirm or change, took a considerable amount of time and effort.

Granted, there was a learning curve aspect to this for me personally, as I’m not a Windows system admin by trade. However, it was easy to see how time-consuming it is to perform these steps manually, even for a skilled admin. I realize that some automation could be added here, and there are some groups that do leverage automation for their projects, but there are still numerous situations where it is not currently available.

The fun continued as I moved on to work with the various compliance validation tools. I needed to get a bit more familiar with operating the console, but soon I was able to view and start addressing any configuration items that I may have missed and document false positives. I did the same with the results of the network vulnerability scanning tool.

Iteratively making changes and checking results during this phase also took a considerable amount of time. Once again, leveraging automation here would be highly desirable. I will also point out that, in general, our organization has made excellent use of the solution to significantly accelerate compliance activities.

The network infrastructure and security areas often create additional complications for server administrators when it comes to the enablement of IT services. However, in the case of this particular PoC server deployment, the impact was minimal.

The End Result

I am happy to report that I was able to establish an initially compliant nonproduction base server environment. I interacted with seven different environments and tools in order to successfully complete the task and expended a considerable amount of time and effort. I do have to point out that the actual Web application for this particular server was not yet installed. This will bring with it — you guessed it additional security and compliance activities. For now, I will leave this next phase of the deployment to the true technical professionals.

As I had hoped, this exercise turned out to be a valuable experience, and I look forward to the opportunity for similar experiences going forward. I now have a more intimate understanding of the process, procedures and tools related to security and compliance from the perspective of those who are immersed in them every day.

This has the advantage of increasing the effectiveness of the interaction and collaboration with the community, as well as improving the focus and effectiveness of future changes that we introduce in the areas of privacy, security and compliance. Perhaps in the future, sightings of a CISO in the wild will not be such a rare occurrence.

Bill Rippon
Chief Information Security Officer, IBM Research

Bill Rippon joined IBM in 1985 at the T.J. Watson Research Center, and has over 30 years of experience in the fields of information technology and services. ...
read more